Information on data protection

 

This data protection notice is to inform you about how we handle your personal data and about your rights under the European General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). ORCA van Loon Communications GmbH is responsible for data processing (hereinafter referred to as “we” or “us”).

 

Contents

I. General information.

II. Data processing on our website.

III. Data processing on our social media pages.

IV. Further data processing.

 

 

I. General information

 

1. Contact

If you have any questions or suggestions regarding this information or if you wish to contact us regarding the assertion of your rights, please address your request to

 

ORCA van Loon Communications GmbH
Steinhöft 5-7
20459 Hamburg
Tel. +49 (0) 40 6963855 0
E-Mail info@orcavanloon.de

 

2. Legal basis

The data protection term “personal data” refers to all information that relates to an identified or identifiable person. We process personal data in compliance with the relevant data protection regulations, in particular the GDPR and the BDSG. We only process data on the basis of legal permission. We process personal data only with your consent (Section 15 (3) TMG or Art. 6 (1) (a) GDPR), to fulfill a contract to which you are a party, or at your request to carry out pre-contractual measures (Art. 6 (1) (b) GDPR), to fulfill a legal obligation (Art. 6 para. 1 lit. c GDPR) or if the processing is necessary to safeguard our legitimate interests or the legitimate interests of a third party, provided that your interests or fundamental rights and freedoms, which require the protection of personal data, do not prevail (Art. 6 para. 1 lit. f GDPR).

 

3. Duration of storage

Unless otherwise stated in the following information, we only store the data for as long as is necessary to achieve the processing purpose or to fulfill our contractual or legal obligations. Such legal storage obligations may arise in particular from commercial or tax law. From the end of the calendar year in which the data was collected, we will store personal data contained in our accounting data for ten years and personal data contained in commercial letters and contracts for six years. In addition, we will store data in connection with consents requiring proof and with complaints and claims for the duration of the statutory limitation periods. We will delete data stored for advertising purposes if you object to its processing for this purpose.

 

4. Categories of data recipients

We use processors to process your data. The processing operations carried out by such processors include, for example, hosting, maintenance and support of IT systems, customer and order management, order processing, accounting and billing, marketing measures or the destruction of files and data carriers. A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. Processors do not use the data for their own purposes, but only process data on behalf of the controller and are contractually obliged to ensure appropriate technical and organizational measures for data protection. In addition, we may transfer your personal data to entities such as postal and delivery services, our principal bank, tax advisors/auditors or the tax authorities. Further recipients may arise from the following information.

 

5. Data transfer to third countries

Visiting our website may involve the transfer of certain personal data to third countries, i.e. countries in which the GDPR is not applicable law. Such a transfer is carried out in a permissible manner if the European Commission has determined that an adequate level of data protection is provided in such a third country. If no such adequacy decision has been made by the European Commission, personal data will only be transferred to a third country if suitable guarantees are provided in accordance with Art. 46 GDPR or if one of the conditions of Art. 49 GDPR is met.

 

Unless otherwise stated below, we use the EU standard contractual clauses for the transfer of personal data to processors established in third countries as suitable safeguards: https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX32010D0087.

If you consent to the transfer of personal data to third countries, the transfer will be carried out on the legal basis of Article 49(1)(a) of the GDPR.

 

6. Processing in the exercise of your rights

If you exercise your rights under Articles 15 to 22 GDPR, we process the personal data transmitted for the purpose of implementing these rights and to be able to provide proof of this. We will only process data stored for the purpose of providing and preparing information for this purpose and for the purpose of data protection control and will otherwise restrict processing in accordance with Article 18 GDPR.

These processing operations are based on the legal basis of Article 6(1)(c) GDPR in conjunction with Articles 15 to 22 GDPR and Section 34(2) BDSG.

 

7. Your rights

As a data subject, you have the right to assert your rights as a data subject against us. In particular, you have the following rights:

 

  • In accordance with Art. 15 GDPR and § 34 BDSG, you have the right to request information about whether and, if so, to what extent we process personal data about you or not.
  • You have the right to request that we correct your data in accordance with Art. 16 GDPR.
  • You have the right, in accordance with Art. 17 GDPR and § 35 BDSG, to request that we delete your personal data.
  • You have the right, in accordance with Art. 18 GDPR, to have the processing of your personal data restricted.
  • You have the right, in accordance with Art. 20 GDPR, to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.
  • If you have given us a separate consent to the data processing, you can revoke this consent at any time in accordance with Art. 7 (3) GDPR. Such a revocation does not affect the lawfulness of the processing that has taken place up to the point of revocation on the basis of the consent.
  • If you believe that the processing of personal data concerning you is in breach of the provisions of the GDPR, you have the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.

 

8. Right of objection

In accordance with Art. 21 (1) GDPR, you have the right to object to processing based on the legal basis of Art. 6 (1) (e) or (f) GDPR for reasons arising from your particular situation. If we process personal data about you for the purpose of direct marketing, you can object to this processing in accordance with Art. 21 (2) and (3) GDPR.

 

9. Data protection officer

You can contact our data protection officer using the following contact details:

 

E-Mail: datenschutzbeauftragter@ORCAVANLOON.DE

Herting Oberbeck Datenschutz GmbH

Hallerstr. 76, 20146 Hamburg

https://www.datenschutzkanzlei.de

 

 

II. Data processing on our website

When you use our website, we collect information that you provide yourself. In addition, certain information about your use of the website is automatically collected by us during your visit to the website. In data protection law, the IP address is also considered to be personal data. An IP address is assigned to each device connected to the Internet by the Internet provider so that it can send and receive data.

 

1. Processing of server log files

When using our website for purely informational purposes, general information that your browser transmits to our server is initially stored automatically (i.e. not via registration). This includes by default: browser type/version, operating system used, page accessed, previously visited page (referrer URL), IP address, date and time of server request and HTTP status code. The processing is carried out to protect our legitimate interests and is based on the legal basis of Art. 6 (1) (f) GDPR. This processing is for the technical administration and security of the website. The stored data will be deleted after 190 days, unless there is a justified suspicion of unlawful use based on specific indications and further examination and processing of the information is necessary for this reason. We are not able to identify you as a data subject on the basis of the stored information. Articles 15 to 22 of the GDPR therefore do not apply in accordance with Article 11(2) of the GDPR, unless you provide additional information to enable your identification in order to exercise your rights as set out in these articles.

 

2. Cookies

We use cookies and similar technologies on our website. Cookies are small text files that are stored by your browser when you visit a website. This identifies the browser used and allows it to be recognized by web servers. You have full control over the use of cookies through your browser. You can delete cookies at any time in your browser's security settings. You can object to the use of cookies through your browser settings in principle or for specific cases. Further information can be found on the website of the German Federal Office for Information Security: https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/EinrichtungSoftware/EinrichtungBrowser/Sicherheitsmassnahmen/Cookies/cookies_node.html

 

The use of cookies is partly necessary for the technical operation of our website and is therefore permissible without the user's consent. We may also use cookies to provide special features and content, as well as for analytical and marketing purposes. These may also include cookies from third-party providers (so-called third-party cookies). We only use such technically unnecessary cookies with your consent in accordance with § 15 para. 3 TMG or Art. 6 para. 1 letter a DSGVO. Information on the purposes, providers, technologies used, stored data and the storage duration of individual cookies can be found in the settings of our consent management tool.

 

3. Consent management tool

This website uses a consent management banner to control cookies. The consent banner enables users of our website to give their consent to certain data processing procedures or to revoke consent that has been given. By clicking the “Accept selection” or “Accept all” button, you consent to the use of the associated cookies. The legal basis under data protection law is your consent within the meaning of Article 6(1)(a) GDPR.

 

In addition, the banner helps us to be able to provide proof of the declaration of consent. For this purpose, we process information about the declaration of consent and further log data for this declaration. Cookies are also used to collect this data.

 

The processing of this data is necessary in order to be able to prove that consent has been given. The legal basis arises from our legal obligation to document your consent (Art. 6 para. 1 letter c) in conjunction with Art. 7 para. 1 GDPR).

 

4.       Google Analytics

We use the Google Analytics service provided by Google Ireland Limited (Google Ireland/EU) on our website. Google Analytics is a web analysis service that we use to collect and analyze data about the behavior of visitors to our website. Google Analytics uses cookies to enable an analysis of the use of our website. Personal data in the form of online identifiers (including cookie identifiers), IP addresses, device identifiers and information about the interaction with our website are processed. Some of this data is information that is stored on the device you are using. In addition, further information is stored on the device you are using via the cookies used. Such storage of information by Google Analytics or access to information already stored on your device will only take place with your consent in accordance with Section 15 (3) TMG.

 

Google Ireland will process the data collected on our behalf in order to evaluate the use of our website by users, to compile reports on the activities within our website and to provide us with further services associated with the use of our website and the internet. Pseudonymous user profiles can be created from the processed data. The setting of cookies and the further processing of personal data described here is carried out with your consent. The legal basis for data processing in connection with the Google Analytics service is therefore Art. 6 (1) (a) GDPR. You can revoke this consent at any time with effect for the future.

 

When using Google services, the possibility of data being transmitted to Google Inc. in the United States cannot be excluded. Please refer to the information in the section “Data transmission to third countries”. Users can find more information about data protection at Google in Google's privacy policy: https://www.google.com/policies/privacy.

 

We only use Google Analytics with activated IP anonymization. This means that the user's IP address will be shortened by Google Ireland within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. The IP address transmitted by the user's browser will not be merged with other data.

 

5.      Google Fonts

We use Google Web Fonts from Google Ireland Limited (Ireland/EU) on our website to display fonts. For such an integration, it is technically necessary to process your IP address so that the content can be sent to your browser. Your IP address is therefore transmitted to Google. This data processing is carried out in order to safeguard our legitimate interests in the optimization and economic operation of our website and is based on the legal basis of Art. 6 para. 1 letter f DSGVO. You can object to this data processing at any time via the settings of the browser used or certain browser extensions. One such extension is the matrix-based firewall uMatrix for the Firefox and Google Chrome browsers. Please note that this may result in functional restrictions on the website.

 

For Google services, a transfer of data to Google Inc. in the USA cannot be ruled out. Users can find more information about data protection at Google in Google's data protection information: https://www.google.com/policies/privacy

6.      YouTube

We use the YouTube service provided by Google Ireland Limited (Ireland/EU) on our website to embed videos. For such embedding, processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Google and Google may possibly set its own cookies. We use YouTube in “extended data protection mode” so that YouTube does not set any cookies to analyze user behavior. When integrating, we use a two-click solution. When using the two-click solution, no connection is initially established to the third-party provider; instead, a placeholder is first loaded from your own server. The IP address is therefore only transmitted when you confirm this with your click.

YouTube is therefore only used with your consent in accordance with Section 15 (3) of the German Telemedia Act or Article 6 (1) (a) of the GDPR.

 

YouTube cannot rule out the possibility that data may be transmitted to Google Inc. and YouTube LLC in the United States. Please refer to the information in the section “Data transfer to third countries”. For more information about Google's privacy practices, please see Google's privacy policy at https://www.google.com/policies/privacy

7.      Vimeo

We use the Vimeo service from Vimeo, Inc. (USA) on our website to embed videos. For such an integration, processing of your IP address is technically necessary so that the content can be sent to your browser. Your IP address is therefore transmitted to Vimeo and Vimeo may possibly set its own cookies. When embedding, we use a two-click solution. When using the two-click solution, no connection is initially established to the third-party provider; instead, a placeholder is first loaded from your own server. The IP address is therefore only transmitted when you confirm this with your click. Vimeo is only used with your consent in accordance with Section 15 (3) TMG or Art. 6 (1) (a) GDPR.

 

Vimeo cannot rule out the possibility of data being transmitted to the United States. The transmission will only take place with your consent in accordance with Art. 49 (1) (a) GDPR. For more information about Vimeo's privacy practices, please see Vimeo's privacy policy: https://vimeo.com/privacy

 

III. Data processing on our social media pages

We have a company page on several social media platforms. This is intended to provide further opportunities to share information about our company and to exchange ideas. Our company has company pages on the following social media platforms:

 

  • Instagram
  • Twitter
  • LinkedIn
  • Xing

 

When you visit or interact with a profile on a social media platform, your personal data may be processed. The information associated with a social media profile used also regularly constitutes personal data. This also includes messages and statements made using the profile. In addition, certain information about your visit to a social media profile is often automatically collected, which may also constitute personal data.

 

1. Visiting a social media page

 

a. Instagram page

When you visit our Instagram page, which we use to present our company or individual products from our range, certain information about you is processed. The sole controller of this personal data processing is Facebook Ireland Ltd (Ireland/EU – “Facebook”). Further information about the processing of personal data by Facebook is available at https://www.facebook.com/privacy/explanation. Facebook offers the option to object to certain data processing; information and opt-out options can be found at https://www.facebook.com/settings?tab=ads.

 

Facebook provides us with anonymized statistics and insights for our Instagram page that help us understand the types of actions people take on our page (known as “page insights”). These page insights are created based on certain information about people who have visited our page. This processing of personal data is carried out by Facebook and us as joint controllers. The processing serves our legitimate interest in evaluating the types of actions taken on our site and improving our site based on these findings. The legal basis for this processing is Art. 6 para. 1 lit. f GDPR. We cannot assign the information obtained through the page insights to individual user profiles that interact with our Instagram page. We have entered into an agreement with Facebook for processing as joint controllers, which defines the distribution of data protection obligations between us and Facebook. For details about the processing of personal data to create page insights and the agreement we have with Facebook, please visit https://www.facebook.com/legal/terms/information_about_page_insights_data. With regard to this data processing, you have the option of asserting your rights as a data subject (see “Your Rights”) against Facebook as well. Further information can be found in Facebook's privacy policy at https://www.facebook.com/privacy/explanation.

 

Please note that, according to Facebook's data protection policy, user data is also processed in the United States or other third countries. Facebook only transfers user data to countries for which the European Commission has issued an adequacy decision in accordance with Art. 45 GDPR or on the basis of suitable guarantees in accordance with Art. 46 GDPR.

 

b. LinkedIn company page

In principle, LinkedIn Ireland Unlimited Company (Ireland/EU – “LinkedIn”) is solely responsible for the processing of personal data when visiting our LinkedIn page. Further information about the processing of personal data by LinkedIn can be found at https://www.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy.

 

When you visit our LinkedIn company page, follow this page or interact with it, LinkedIn processes personal data to provide us with anonymized statistics and insights. This provides us with information about the types of actions that people take on our page (so-called page insights). In particular, LinkedIn processes the data that you have already provided to LinkedIn via the information in your profile, such as data on function, country, industry, seniority, company size and employment status. In addition, LinkedIn will process information about how you interact with our LinkedIn company page, e.g. whether you are a follower of our LinkedIn company page. LinkedIn does not provide us with any of your personal data through the Page Insights. We only have access to the summarized Page Insights. It is also not possible for us to draw conclusions about individual members from the Page Insights information. This processing of personal data in the context of page insights is carried out by LinkedIn and us as joint controllers. The processing serves our legitimate interest in evaluating the types of actions taken on our LinkedIn company page and improving our company page based on these findings. The legal basis for this processing is Art. 6 (1) point f GDPR. We have entered into an agreement with LinkedIn regarding processing as joint controllers, which defines the distribution of data protection obligations between us and LinkedIn. The agreement is available at: https://legal.linkedin.com/pages-joint-controller-addendum. According to this, the following applies:

 

  • LinkedIn and we have agreed that LinkedIn is responsible for enabling you to exercise your rights under the GDPR. You can contact LinkedIn online via the following linkhttps://www.linkedin.com/help/linkedin/ask/PPQ?lang=de) or reach LinkedIn using the contact details in the privacy policy. You can contact the data protection officer at LinkedIn Ireland via the following link: https://www.linkedin.com/help/linkedin/ask/TSO-DPO. You can also contact us using the contact details provided to exercise your rights in connection with the processing of personal data as part of page insights. In such a case, we will forward your request to LinkedIn.

 

  • LinkedIn and we have agreed that the Irish Data Protection Commission is the lead supervisory authority that monitors processing for page insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (see dataprotection.ie) or with any other supervisory authority.

 

Please note that, according to the LinkedIn privacy policy, personal data is also processed by LinkedIn in the United States or other third countries. LinkedIn only transfers personal data to countries for which an adequacy decision has been made by the European Commission in accordance with Art. 45 GDPR or on the basis of suitable guarantees in accordance with Art. 46 GDPR.

 

c.       Twitter

Twitter Inc. (USA) is solely responsible for the processing of personal data when you visit our Twitter profile. Further information about the processing of personal data by Twitter Inc. can be found at https://twitter.com/de/privacy.

 

d.      Xing

New Work SE (Germany/EU) is the sole controller for the processing of personal data when visiting our Xing profile. Further information about the processing of personal data by New Work SE can be found at https://privacy.xing.com/de/datenschutzerklaerung.

 

2. Comments and direct messages

We also process information that you have provided to us via our company page on the respective social media platform. Such information may include the username used, contact details or a message to us. We are solely responsible for this processing. We process this data on the basis of our legitimate interest in contacting individuals with inquiries. The legal basis for the data processing is Art. 6 (1) (f) GDPR. Further data processing may take place if you have given your consent (Art. 6 (1) (a) GDPR) or if this is necessary to fulfill a legal obligation (Art. 6 (1) (c) GDPR).

 

IV. Further data processing

 

1. Contacting us by email

If you send us a message via the contact email provided, we will process the transmitted data for the purpose of answering your enquiry. We process this data on the basis of our legitimate interest in contacting the persons making the enquiry. The legal basis for the data processing is Art. 6 (1) (f) GDPR.

2. Customer and prospective customer data

If you contact our company as a customer or prospective customer, we process your data to establish or execute the contractual relationship to the extent necessary for this purpose. This regularly includes the processing of the personal master, contract and payment data provided to us, as well as contact and communication data of our contact persons at commercial customers and business partners. The legal basis for this processing of this data is Art. 6 (1) (f) GDPR and the processing is based on our legitimate interest in contacting your company. We also process customer and prospective customer data for evaluation and marketing purposes. These processing operations are carried out on the legal basis of Art. 6 (1) (f) GDPR and serve our interest in further developing our offer and informing you specifically about our offers. Further data processing may take place if you have consented (Art. 6 (1) (a) GDPR) or if this is necessary to fulfill a legal obligation (Art. 6 (1) (c) GDPR).

 

3. Applications

If you apply for a job at our company, we process your application data exclusively for purposes related to your interest in current or future employment with us and the processing of your application. Your application will only be processed and acknowledged by the relevant contact persons at our company. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. If we are unable to offer you employment, we will store the data you have provided for up to six months after any rejection for the purpose of answering questions related to your application and rejection. This does not apply if legal provisions prevent deletion, if further storage is required for the purpose of providing evidence or if you have expressly consented to longer storage. The legal basis for data processing is § 26 para. 1 p. 1 BDSG. If we store your application data for longer than six months and you have expressly consented to this, we would like to point out that this consent can be freely withdrawn at any time in accordance with Art. 7 (3) GDPR. Such a withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of the consent until the withdrawal.